As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsula coupled with additional attacks from the Orient; this will bring a chill to the spines of organisations. These attacks are likely to be followed by sweeping phishing scams from the African continent. There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever-increasing cold chill developing within organisations as the realisation dawns that the threat from insiders is on the rise. In summary, it’s going to be a mixed bag of events for a number of wide-ranging organisations. However, on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high-profile information security breaches, then expect 2016 to be more of the same. Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people. I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees. I also predict a significant challenge for many organisations which hold personal data. The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens. With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioner’s Office (ICO). Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited. This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017

Related to the above, more Data Centre Security certifications due to contractor (customer) requirements

More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target

Cyber Essentials leads to more demand for ISO27001 certifications from SMEs

Privileged insider remains the main Threat Source & Actor

More incidents relating to online cyber-extortion / ransomware

With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever

More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media and Marcomms Manager – I predict the growth of ransomware in business. Ransomware is mainly (though not exclusively) spread by phishing and, given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites, and so businesses that do not have, or enforce, a policy or exercise restrictions in this area will also find themselves victims of this cynical exploit.

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breaches in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons, highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and, looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Another great post from one of our consultants, this time from Dale Penn on the topic of Social Engineering.

Introduction

Social engineering is still the most prolific and successful method of hacking. It is a non-technical attack that relies on a user being tricked or coerced into some form of action which presents the attacker with a window of exploitation, and it can bypass even the most robust of technical controls. It is much easier to coerce a member of staff into providing information than it is to mount a technical attack on a web application or network connection.

It is important to note that the threats from social engineering tactics are almost always underrated by enterprise organisations, even though they form an integral part of most modern-day attacks. The reason for this is that there is currently a trend within enterprise organisations to fixate on technical solutions to information security threats and neglect the human element.

Any organisation that wants to protect its information assets must be aware of the current Social Engineering threats.

The top 3 Social Engineering Methodologies

Phishing – This is the practice of sending emails appearing to be from reputable sources with the goal of influencing the recipient or gaining personal information. A phishing email will usually contain a link which redirects the user to a false webpage where they are asked to provide personal information such as usernames and passwords. Once entered, this information is captured and ready for use by the hacker. Gone are the days when phishing emails contained poor grammar and spelling and were easy to pick out. Modern-day phishing emails are professionally created and very convincing.
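One defensive check that follows from the mechanism just described (a link whose visible text names a trusted site while the real href leads to a false page) is to compare the host named in each link's visible text with the host of its href. The following is an added example, not code from the original post or from Advent IM; the email and all domains in it are constructed for illustration and use reserved `.example` names.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible link text names the bank's domain while the
# real href points at a different, attacker-controlled host (hypothetical names).
SAMPLE_EMAIL = """From: "Example Bank Security" <alerts@example-bank.com.evil-host.example>
To: user@example.org
Subject: Please confirm your account details
Content-Type: text/html

<html><body>
<p>Please <a href="http://login.evil-host.example/verify">https://www.example-bank.com/login</a>
to confirm your username and password.</p>
<p>Contact us at <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>.</p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Lower-cased hostname of a URL; bare 'www.' text gets a scheme added."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def find_deceptive_links(raw_email):
    """Return hrefs whose visible text looks like a URL for a different host."""
    body = message_from_string(raw_email).get_payload()
    collector = _LinkCollector()
    collector.feed(body)
    return [href for href, text in collector.links
            if re.match(r"^(https?://|www\.)", text) and _host(text) != _host(href)]

if __name__ == "__main__":
    print(find_deceptive_links(SAMPLE_EMAIL))  # ['http://login.evil-host.example/verify']
```

A mismatch here is a strong indicator but not proof; mail filters normally combine it with sender-domain and reputation checks before quarantining a message.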

Vishing – This is the practice of eliciting information or attempting to influence action via the telephone, and may include tools such as “phone spoofing”. A common attack method is to call a user within an organisation and pretend to be the IT helpdesk. From there the attacker will coerce the user into “confirming” their username and password.

We all want to help – naturally. We also want to make the shouting stop…

Pretexting – This is the practice of presenting oneself as another person with the goal of obtaining information or access to a person, company, or computer system. This is where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity. More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organisation or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.

Counter Measures

Education, Education, Education – All users should be appropriately trained to recognise these methods of attack. The work force should adopt a culture of healthy scepticism when approached for sensitive information and not take things at face value.

Develop policies and procedures to identify and handle sensitive information so staff will know what is sensitive to the organisation and what they can and can’t do with it.

Midlands-based Cyber/Information Security Consultancy and members of the Malvern Cyber Security Cluster, Advent IM enjoyed some serious discussion of how to bridge the cyber security skills gap with James Morris, the MP for Halesowen and Rowley Regis.

Advent IM, the UK’s leading independent holistic security consultancy, welcomed local MP James Morris to their office and training centre on 20th February. During the visit, Mr Morris met with members of the team and the firm’s Directors, Julia McCarron and Mike Gillespie, who highlighted the ongoing cyber security skills gap that the UK is experiencing. Mr Morris acknowledged this as a topic he himself was very keen to address with the local college and said that he was keen to be a part of the solution to entry-level skill building and a career path for young people interested in starting a career in cyber security.

Advent IM Director Mike Gillespie has discussed the cyber skills gap before; he joined Cyber Skills Challenge CEO Stephanie Daman in a discussion on BBC Radio 4 on the topic last year, and takes every opportunity to discuss it and raise awareness of the threat that a continuing gulf between UK security needs and the number of available professionals forms. He said, “The youngsters growing up now are using technology in an ever-increasing array of ways. The Internet of Things connects people with their information in an unprecedented way, and the workplace and home or leisure increasingly play in the same space. It is vital we get the upcoming generation interested in cyber security, not only as a career path toward being a security professional, which is what the UK plc really needs, but also because security is becoming part of every employee’s life as their role in organisational security is increasingly acknowledged. We cannot afford to allow our approach to security to remain static; threat and risk to business is a dynamic landscape and we need to develop our talent to deal with this landscape in the same evolved and proactive way. Bringing young people into security via apprenticeships and helping them develop down this route is going to form a vital part of protecting UK plc in years to come.”

Advent IM is keen to explore options for bridging the skills gap in the local community and supporting Mr Morris in the challenge of developing education and training programmes that will enable local youngsters to become the cyber security experts of the future.

Issued: 23.02.15 Ends Ref: VIP-230215- Advent

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats. Mike Gillespie is MD of Advent IM, Director of Cyber Strategy and Research for The Security Institute and a member of the CSCSS Global Cyber Security Select Committee.
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project

Last year, the de facto information security standard ISO/IEC 27001 underwent changes and some important alterations were made to various controls and clauses. This means that organisations who are already certified or compliant to ISO27001:2005 are now having to think about transitioning their Information Security Management System to the 2013 version. Because of this, organisations have increasingly been seeking support in successfully completing this transition. Advent IM stepped up to the mark after the initial release of the new version with a tool to help businesses already certified to map the controls and clauses against the 2005 version. But the growth in requests for further support has been marked, and the team of specialists at Advent IM were asked to provide a tailor-made course for those currently certified or compliant to ISO27001:2005 to transition to 2013.

Advent IM today announced the availability of this bespoke course, which will work alongside the mapping tool to support Information Security Managers who are navigating their way through the changes. Advent IM’s track record in both successful certifications and in Information Security training makes it perfectly placed to offer this training. Operations Director Julia McCarron said, “We were very pleased to be asked to supply this support. It’s great to know organisations continue to take their commitment to quality Information Security Management Systems seriously. ISO27001 has proven to be an enormously helpful framework; its comprehensive nature makes it a solid choice for a holistic approach to securing information assets. The transition to ISO27001:2013 need not be onerous; we are highly experienced with this standard and our vision is to help organisations have as smooth and successful a transition as possible.”

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified and Home Office trained physical security assessors.

Designed to help delegates understand the HMG accreditation process and how to identify, assess and treat risks appropriately following the guidance in IAS Stds 1&2, associated supplement and GPG47. This course is only open to public sector employees. Please contact us for further information on 0121 559 6699.

There are a couple of spaces left on October’s Public Sector Senior Information Risk Owner (SIRO) training course.

In summary:

Having successfully developed and delivered SIRO Training for the UK’s Police Forces since 2012, we have redesigned our popular and well respected SIRO training course for the broader public sector.

Our training course will give you a greater understanding of your role and responsibilities as SIRO for your organisation. It will also cover both the principles of information risk management and information assurance using several scenario based exercises to test and improve your understanding of the crisis management issues in this area. At the end of the training, you will have the confidence to deal with information risk and incidents should they occur within your organisation.

As usual, places will be allocated on a first come, first served basis unless there are cancellations.

If you are from the public sector and either want to find out more about this training and why it is so vital to your organisation, or want to book your SIRO onto this course, please visit http://www.advent-im.co.uk/siro.aspx or email us at bestpractice@advent-im.co.uk with PS SIRO in the subject.

October 8th at Advent IM training suite in Birmingham (just off the M5)

NB. This is public sector only. If you are from the private sector and are looking for information security training, please contact us on 0121 559 6699 or 0207 100 1124 or email us at bestpractice@advent-im.co.uk